Detect Process Doppelganging in Elastic Security
Adversaries may inject malicious code into process via process doppelganging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelganging abuses Windows Transactional NTFS (TxF) to perform a fileless variation of process injection. The technique involves four steps: Transact (create a TxF transaction and overwrite a legitimate executable with malicious code), Load (create a shared section from the modified file), Rollback (undo the file changes, removing malicious code from disk), and Animate (create a process from the tainted memory section). This evades detection because the malicious code never exists on disk in its final form and the technique avoids highly-monitored API functions like NtUnmapViewOfSection.
MITRE ATT&CK
- Technique
- T1055 Process Injection
- Sub-technique
- T1055.013 Process Doppelgänging
- Canonical reference
- https://attack.mitre.org/techniques/T1055/013/
Elastic Detection Query
process where event.type == "start" and
(
process.command_line : ("*CreateFileTransacted*", "*NtCreateSection*", "*RollbackTransaction*", "*NtCreateProcessEx*")
or
(
process.name in~ ("svchost.exe", "explorer.exe", "notepad.exe", "cmd.exe") and
not process.parent.name in~ ("services.exe", "svchost.exe", "winlogon.exe", "userinit.exe", "wininit.exe") and
(process.pe.company == null or process.pe.company == "")
)
)Detects Process Doppelganging by identifying NTFS Transaction API strings in process command lines and anomalous system process creation where known Windows binaries lack PE version metadata and are spawned by unexpected parent processes.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software installers using Windows Transactional NTFS for atomic file operations may surface TxF API strings in debug or verbose command-line output
- Enterprise deployment tooling (SCCM, Ivanti) that spawns svchost.exe or explorer.exe via wrapper processes during patch cycles
- Custom in-house applications or security tools that invoke system binaries from non-standard parent processes during automated maintenance tasks
Other platforms for T1055.013
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1NTFS Transaction API Check
Expected signal: Sysmon Event ID 1: PowerShell execution. The API check itself generates no injection telemetry — it only verifies API availability.
- Test 2Kernel Transaction Manager Log Verification
Expected signal: Sysmon Event ID 1: PowerShell querying event log configuration. No security event generated — this is a configuration check.
- Test 3Process Doppelganging Detection via Hollowing Artifacts
Expected signal: Sysmon Event ID 1: notepad.exe spawned by PowerShell. The parent-child anomaly (notepad from PowerShell) triggers Process Hollowing detections that also cover Doppelganging.
References (5)
- https://attack.mitre.org/techniques/T1055/013/
- https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf
- https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/
- https://msdn.microsoft.com/library/windows/desktop/bb968806.aspx
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.013/T1055.013.md
Unlock Pro Content
Get the full detection package for T1055.013 including response playbook, investigation guide, and atomic red team tests.